Windows 7 Enterprise locked School Computer

Discussion in 'Windows 7' started by sedahs, Apr 2, 2014.

Thread Status:
Not open for further replies.
  1. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    The trick I had posted is based on the fact that the win+u key calls utilman.exe @winlogon with SYSTEM rights.
    When you rename cmd.exe to it, it fires up a cmd prompt with SYSTEM rights as well...this is actually a ridiculous security hole and typical for M$ OSes. Everybody can gain local admin rights on every Windows client!!!!


    Anything else is the same...:)
     
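    The post above describes the mechanism (winlogon launches the accessibility helper as SYSTEM, so whatever sits at that path runs as SYSTEM). The script below is an added, defender-side check that is not from this thread or from any of its posters: it verifies, from an elevated prompt on the machine being audited, that Utilman.exe and the other helpers winlogon can launch from the logon screen are still the genuine binaries. It compares each helper's SHA-256 against cmd.exe (a renamed shell is byte-identical), against the WinSxS component-store copy that a later post in this thread mentions, checks the Authenticode status, and looks for an Image File Execution Options "Debugger" redirection, which swaps the launched program without touching the file. The helper list and the "Microsoft" subject match are assumptions made for this example.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell prompt.
# Checks that the accessibility helpers winlogon can start as SYSTEM from the
# logon screen have not been replaced or redirected.
$system32 = Join-Path $env:SystemRoot 'System32'
$winsxs   = Join-Path $env:SystemRoot 'WinSxS'
# Assumed list of helpers reachable from the logon screen (Win+U -> Utilman.exe).
$helpers  = 'Utilman.exe','sethc.exe','osk.exe','Narrator.exe','Magnify.exe','DisplaySwitch.exe','AtBroker.exe'
$cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

function Finding([string]$File, [string]$Issue) {
    [pscustomobject]@{ File = $File; Issue = $Issue }
}

$findings = foreach ($name in $helpers) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) {
        # Nothing for winlogon to launch at all (the symptom the OP reports).
        Finding $name 'missing from System32'
        continue
    }
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash

    # 1. A renamed cmd.exe is byte-identical to the real cmd.exe.
    if ($hash -eq $cmdHash) { Finding $name 'byte-identical to cmd.exe (renamed shell)' }

    # 2. Compare against the component-store copy; System32 files are normally
    #    hard links to it, so the hashes should match.
    $sxs = Get-ChildItem -Path $winsxs -Filter $name -Recurse -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($sxs) {
        $sxsHash = (Get-FileHash -Algorithm SHA256 $sxs.FullName).Hash
        if ($sxsHash -ne $hash) { Finding $name "differs from WinSxS copy $($sxs.FullName)" }
    }

    # 3. Authenticode status and signer.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Finding $name "signature status $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Finding $name "signed by $($sig.SignerCertificate.Subject)"
    }

    # 4. IFEO Debugger value: the file is untouched but another image is started.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Finding $name "IFEO Debugger set to $dbg" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'Accessibility helpers look intact.' }
```

    Two caveats when reading the output: Windows system binaries are catalog-signed, so a renamed cmd.exe still verifies as a valid Microsoft-signed file (the catalog matches on file hash, not file name), which is why the cmd.exe hash comparison and the WinSxS comparison are the decisive checks; and on older PowerShell versions that do not consult the catalog, every System32 file reports NotSigned, so the signature check alone produces false positives there. Running the script from a clean boot medium against a mounted drive, as the thread suggests for the rename itself, also keeps the comparison honest if the running system cannot be trusted.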
  2. Humphrey

    Humphrey MDL Expert

    Dec 13, 2011
    1,466
    990
    60
    Well, it's a pretty handy trick. I've had to use it a few times to get into domain-controlled computers for the pawn shops I geek for. Last set I did were medical and client information stored on each one. Needless to say I deleted what I found.
     
  3. sedahs

    sedahs MDL Novice

    Apr 2, 2014
    14
    0
    0
    #23 sedahs, Apr 4, 2014
    Last edited: Apr 4, 2014
    (OP)
    Hi Yen,

    Didn't work. Won't pop the cmd.exe at all.

    At first, it wouldn't allow me to rename it at all without being TrustedInstaller.

    Next, I downloaded Unlocker and used it to rename it from another computer.

    Then on re-boot just replaced it with another copy of utilman.exe.

    I then scanned the HDD for all copies of utilman.exe and found one in a winsx directory with a huge key name.
    I wasn't able to rename it without a re-boot, which is just stupid as it has nothing to do with the PC I am on; the HDD is connected via USB and not running the OS, so why the hell would I need to re-boot???

    So, I found a way to push my CMD on my local computer to login via TrustedInstaller (token method) and renamed it from the cmd shell.

    Plugged the laptop drive back in and, no cmd screen. No utilman.exe screen either, alt+tab does nothing. Back to square one.
    Next, I grabbed a password Linux utility and looked on the local registry hive, it had only a "printercfg" account and a "Maintenance" account. Nothing to show my daughters account.

    I hacked the "Maintenance" account with a password reset to clear it and re-booted into Recovery mode.
    From here I could log in to Maintenance and I tried to unlock Administrator using "net user Administrator /active:yes"
    by loading up cmd; still can't find my daughter's account. I was able to elevate Maintenance to admin level though.
    Well, there is no Administrator account, it was deleted; however, I could now log in to Maintenance locally by specifying "machine name\maintenance" and now I can create other local accounts.

    My daughter's account is domain locked; however, I can now install programs locally and she can log in to her domain account off-line, so she's happy.

    They must have a separate key-store somewhere I haven't found yet. I did find her files and account name on a separate partition under a data directory, so this is very unusual.

    So, good news, all is well; however, I can't promote her account to Administrator level. I can create her a new local account and she still has access to applications, so far at least.

    Thanks for your help and guidance. I used the resources you provided to help hack it; at least I can install stuff on here for my daughter to use. I'd love to know how they made such a beast of a secure computer though. It was very difficult to get into! I wanted to post what I did in step-by-step format so others can see if interested.

    To elevate a cmd.exe to TrustedInstaller level, I used this resource (put the standard http URL prefix at the front of this next bit to look at the website): vorck.com/windows/ntauth.html
     
  4. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    18,682
    18,582
    340
  5. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340

    For the sake of curiosity I just tried it here @ a company client. It still works!!!
    win+u fires up a cmd with SYSTEM rights.
    Since nothing (not even the original utilman) fired up at your attempt, I assume you have not renamed properly (no Utilman.exe available at \system32 that could have been called).
    You can't be TrustedInstaller, but you can take ownership...or even better, rename it when booted from a Linux CD...


    Anyway I am glad that it worked the other way for you.:)
     
  6. sedahs

    sedahs MDL Novice

    Apr 2, 2014
    14
    0
    0
    #28 sedahs, Apr 4, 2014
    Last edited: Apr 4, 2014
    (OP)
    That's what I thought as well, but it's renamed right. I triple checked.
    I know it's right because the assisted program window won't pop either, where before, when it was the original version of 1.2k something, it did pop up the window.
    I have tried this fix on our company laptops too and it works! Just not on her laptop. They (the school) do something funky, I have no idea.
    As for the Trusted Installer raised permissions, have a look at the link I put up. I wasn't allowed to type the http:// because of my limited posts.
    You may find it interesting.
    As Trusted Installer runs as a service and isn't actually an account, and it's the highest privilege of Windows and overrides all and any account-based permissions, this can get around any file lock/hidden directory or domain lock files as it trumps all other accounts.
    What you do, as far as I can work out so far, is open and close the Trusted Installer daemon and get it to re-spawn cmd.exe on another PID that was opened by Trusted Installer. Anyway, it works. You become a super user that has more rights than Administrator-based accounts; you are running as SYSTEM. Easy way to check: run procexp.exe from under the Administrator-opened cmd.exe and then spawn one using the Trusted Installer hack stuff on the page I linked from a cmd.exe launched using the Token Method, and you will see one copy of procexp.exe is running as Administrator, the other is running as SYSTEM. It's really useful, well in this case, it was for me.

    Anyhow, this was the strangest config I have ever tried to break so far, and totally legit!! I really had a true need to do it, not just for fun.

    Thank you for your help, all of you. I have learnt quite a bit.
     
  7. sedahs

    sedahs MDL Novice

    Apr 2, 2014
    14
    0
    0
    This is what I used!! Ha!
    I had an older version from CD and couldn't remember the web site!! Thanks for that, I'll update this USB stick now.
    Although I had no Administrator account on the computer, there was an account called "printercfg" and I managed to elevate and reset it to log in locally.
    A very secure system for Windows!
    This still gave me no access to her domain-based account; however, I could install applications locally after I changed a few things from a super elevated account. Such a terrible use of words, not sure how to explain it better other than run cmd.exe as administrator and then re-spawn it under Trusted Installer to be logged in as SYSTEM in cmd.exe.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    I have been using Petter N Hagen's Offline NT Password and Registry Editor for more than 10 years already as well; it's great.

    The strange thing is that nothing fired up at your attempt by pressing win+u; either cmd or the original utilman should have fired up...
     
  9. sedahs

    sedahs MDL Novice

    Apr 2, 2014
    14
    0
    0
    I agree!! I have not seen something so locked down before. Makes our office build look amateur.
     
  10. zahnoo

    zahnoo MDL Senior Member

    Feb 2, 2011
    387
    35
    10
    If wishes were horses, all beggars would ride. Sometimes you have to make compromises and in your case a format and reinstall may be your only viable choice. As to her programs, nothing is to say they will keep working or be what she needs as time passes. I've never seen a situation where appropriate alternate software wasn't available. It wasn't always free, but something has always been there.

    The decision you're facing is how much more time and effort are you going to expend on this machine? How well is your daughter being served by keeping on getting the same undesirable results? Everything that has a beginning has an ending. And you may well be at the end of this particular OS installation if not the computer in general.
     
  11. rjk123

    rjk123 MDL Member

    Apr 29, 2011
    101
    42
    10
    @Daniel90, @zahnoo
    Did you guys notice that this thread was quiet for 5 months before you bumped it? The OP is probably long gone.
     
  12. zahnoo

    zahnoo MDL Senior Member

    Feb 2, 2011
    387
    35
    10
    So? What's your point?
     
  13. rjk123

    rjk123 MDL Member

    Apr 29, 2011
    101
    42
    10
    I suppose you would also talk on the phone long after the other party has hung up?
     
  14. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,719
    6,741
    270
    sometimes the best of friends, are the silent ones :band: :p
     
  15. rjk123

    rjk123 MDL Member

    Apr 29, 2011
    101
    42
    10
    I like to talk to myself, because that is the only way I will get an intelligent answer.
    :roll1:
     
  16. urie

    urie Moderator
    Staff Member

    May 21, 2007
    9,039
    3,388
    300
    Just to let you all know: member Daniel90, who resurrected the thread replying to a post from April, is a spammer; all his posts were to do with passwords. Closing thread now.